#### Abstract

Authentication is one of the most fundamental services in cryptography and information security. Compared with the traditional authentication methods, group authentication allows a group of users to be authenticated at once rather than authenticating each of these users individually. Therefore, it is more desirable in the group oriented environment, such as multicast/conference communications. In this paper, we first demonstrate that a recent group authentication scheme by Chien (Security and Communication Networks, 2017) suffers some security flaws, i.e. an adversary in the asynchronous communication model can pretend to be a legitimate group member without being detected. We then use the Anonymous Veto Networks (AV-net) to patch Chien’s scheme, so that its security can be rigorously proved in a well-defined security model.

#### 1. Introduction

Authentication confirms whether some entity is who or what it claims to be. It is an important security service in cryptography and information security. Traditionally, the authentication process is carried out between two parties. The prover proves its identity to the verifier using a single or some combination of the following methods: something it has, something it knows, or something it is. The verifier will accept the proof if the prover, indeed, possesses the credential. However, this one-to-one authentication approach is inefficient in the group oriented environment, e.g., multicast/conference communications and broadroom elections [1, 2]. If each user needs to authenticate every user’s identity, a large number of authentication operations (quadratic to the number of users) need to be performed across the entire group. To address this problem, group authentication [3] has been proposed recently, so that instead of authenticating each user individually, all users in the group can be authenticated at once. If all users are legitimate group members, the group authentication is sufficient to prove that they all belong to the same group. Even if there exist some nonmembers, the group authentication still can be used as a preprocessing step before applying some traditional authentication techniques to identify those nonmembers.

In general, a group authentication scheme consists of two phases. In the *initialization phase*, the group manager (GM) generates a credential for each group member, and these credentials are sent through some secure networks. In the *authentication phase,* each player uses her credential to compute a token and broadcasts it. As follows, every user can use the revealed information to verify whether all these users are belonging to the same group. Two security requirements are fundamental for group authentication schemes. One is that if all users are legitimate group members, the authentication will always be successful. The other is that any nonmember with no valid credential cannot pretend to be a group member without being detected. Moreover, two other requirements are also highly desirable for group authentication schemes: (1) reuse of the credentials in multiple authentication sessions; (2) allowance of players to broadcast their tokens through asynchronous networks. Note that the first requirement helps to avoid the cumbersome processes of distributing credentials for every authentication session, and the asynchronous networks are easier to be established than the synchronous ones, especially in the distributed environment.

##### 1.1. Our Contributions

In his work [4], Chien has proposed a group authentication scheme, claiming to satisfy the abovementioned requirements. In this paper, we first demonstrate that Chien’s scheme fails to achieve its claimed security in the asynchronous networks. In particular, an adversary in the asynchronous communication model can always wait until the other legitimate users having revealed their tokens and then fabricate a valid token using the revealed ones. We then use a novel technique, called *Anonymous Veto Networks* (AV-net), to patch Chien’s scheme. To avoid the “design-break-patch loop,” our proposed scheme is rigorously analyzed in a well-defined security model [5].

##### 1.2. Organization of the Paper

The rest of the paper is organized as follows. In Section 2, we briefly review some related works in the literature. Chien’s scheme is described and analyzed in Section 3. In Section 4, we outline some preliminaries, including notations, building blocks, and security models. In Section 5, we introduce our improvement of Chien’s scheme and analyze it with respect to security and efficiency. Finally, we conclude in Section 6.

#### 2. Related Works

After the concept being initially introduced by Harn [3], group authentication has been widely accepted as a useful tool in cryptography to simultaneously prove that a group of users are all legitimate members [6]. Recently, a number of group authentication schemes have been proposed in the literature. For example, Chien [4] used a different mathematical structure to renovate Harn’s scheme, with the purpose of allowing the credentials to be used in multiple trials in asynchronous networks. Liu et al. [7] considered the resource restrained environment and proposed a lightweight group authentication scheme in which the authentication is executed by checking whether the interpolation of the credentials returns a polynomial with the expected degree. Mahalle et al. [8] used the threshold Paillier cipher to design a group authentication scheme for the Internet of Things. Li et al. [9] extended the functionalities of group authentication so that not only the group members can be authenticated at once but also pairwise keys can be established among the group members. Guo et al. [10] and Elmouaatamid et al. [11] independently explored how to further trace the nonmembers if the group authentication fails.

However, a common drawback of these existing works is that their security is only justified using heuristic arguments rather than formal security proofs, and several of these schemes have already been found to contain security flaws. For example, Ahmadian and Jamshidpour [12] showed that Harn’s scheme is insecure because an adversary in the asynchronous networks can impersonate a group member without being detected. In paper [3], Harn simply conjectured that the adversary needs to reconstruct all the polynomials to fabricate a valid token. But, this adversary may use a very novel method, called the linear subspace attack, to fabricate a valid token without recovering any of the polynomials. In their work [5], Xia et al. proposed a formal security model for group authentication that captures the main security requirements. This work has also improved Harn’s scheme so that the modified scheme can be rigorously proved to achieve the desirable security properties.

In this paper, we first demonstrate that Chien’s scheme is also insecure in the asynchronous networks. We then propose an improvement of Chien’s scheme and prove its security using the security model in paper [5].

#### 3. Analysis of Chien’s Scheme

##### 3.1. Description

Note that our description here is slightly different from Chien’s original scheme [4]. We use a symmetric bilinear map in order to simplify the description, while Chien uses an asymmetric bilinear map. It is well known that compared with the symmetric bilinear map, the asymmetric one has advantages in security and bandwidth, but our attack against Chien’s scheme also works when an asymmetric bilinear map is used instead.

We denote and as two finite cyclic groups of order for some large prime . A bilinear map is defined between these two groups, satisfying the following properties:(i)Bilinear: the map is said to be bilinear if for all and all (ii)Nondegenerate: the map does not send all pairs in to the identity in (iii)Computable: there exists an efficient algorithm to compute for any

Chien’s multiple group authentication scheme works as follows:(i)Init: GM first selects two finite cyclic groups and with prime order and a bilinear map . Denote as a generator of . GM then selects a secret and sets . GM selects values for . GM associates the pairwise different integers with the group members. Finally, GM outputs the system parameters .(ii)Dist: GM selects a random polynomial over with degree , such that . GM, then computes the credentials , and sends them to the group members through the secure channel.(iii)Comp: in the -th session (), every participating user in computes her token and broadcasts it, where is the Lagrange coefficient.(iv)Auth: in the -th session, every user can verify whether all the users are legitimate group members by checking:

Note that if all players are legitimate group members, we have . Also, thanks to the bilinear property, this further implies that the abovementioned equation holds. But, if there exist some nonmembers, the relation can only satisfy with negligible probability. Therefore, the abovementioned equation can be used to check whether a group authentication is successful.

##### 3.2. Analysis

Now, we demonstrate that, in the asynchronous communication model, an adversary who has no valid credential can pretend to be a legitimate group member without being detected. Without loss of generality, suppose that attends the -th group authentication session together with legitimate group members and would like to impersonate the group member . The attack works as follows:(i)Each legitimate group member computes and broadcasts her token , where is the Lagrange coefficient.(ii)After receiving these tokens, modifies them as for and interpolates , where(i)Finally, computes the token , where , and broadcasts .

At this time, the group authentication will be successful because . The consequence is that the adversary has impersonated the group member without being detected. The main reason for this attack is that since the Lagrange coefficients can be publicly computed, can remove them from the revealed tokens and then uses the modified tokens to interpolate a new valid token. To solve this problem, we need to disable ’s ability of removing the Lagrange coefficients from the revealed tokens.

#### 4. Preliminaries

##### 4.1. Notations

We assume that all players are probabilistic polynomial time (PPT) algorithms with respect to the security parameter . Standard notations are used for probabilistic algorithms and experiments. For example, if is a probabilistic algorithm, then denotes the result of running on inputs , and so on. We denote as the experiment of assigning as . If is a finite set, then we denote as the operation of picking an element uniformly from . Moreover, denotes the probability that the predicate will be true after the ordered execution of the algorithms , and so on. A function is called negligible if for all , there exists a such that for all .

##### 4.2. Building Blocks

Shamir secret sharing [13]: it shares the secret value among users, so that any or more users can work together to recover the secret, but less than users cannot get any information of the secret. In the sharing phase, the dealer first selects a random polynomial over with degree , where . Then, the dealer computes the shares and sends them to each user through the secure channel. Here, are public parameters associated with the users that are pairwise different. In the reconstruction phase, any subset (where ) of these users can reconstruct the secret by Lagrange interpolation: , where is called the Lagrange coefficient.

Anonymous veto networks (AV-nets) [14]: they assume that there exist broadcast channels, and all the messages are exchanged through these channels. Suppose users are involved, and then the protocol works as follows:(i)Round 1: each user selects a value and broadcasts . also proves that she has the knowledge of without revealing it, e.g., using the Schnorr identification technique [15]. When this round finishes, every user computes (ii)Round 2: every user broadcasts a value and proves the knowledge of within without revealing it. Now, we have

To see that the abovementioned property always holds, by definition, ; hence, we have

##### 4.3. Security model

We adapt the models and definitions in paper [5] and prove our proposed scheme using this security model. The participants: there are four types of participants in group authentication schemes:(i)Group manager (GM): the GM initializes the protocol and generates credentials for the users. In any authentication protocol, the user needs to possess some secret that is unknown to the others.(ii)Users: each of the users will receive a credential from the GM, and they will use their credentials to participate in the group authentication.(iii)Inside adversary: the inside adversary controls at most users, where is the threshold such that . can obtain these users’ internal states. ’s purpose is to learn some secret information or to pass the group authentication by herself.(iv)Outside adversary: the outside adversary does not own any valid credential generated by the GM, but her purpose is to impersonate a group member in the group authentication without being detected. Communication model: we assume that there exists a secure channel between the GM and every user, so that the credentials can be distributed securely. Moreover, we assume that every participant is connected to a broadcast channel, where any message sent through this channel can be heard by the other participants within some specified time bound. Note that the broadcast channel is only assumed to be asynchronous, such that messages sent from the uncorrupted users to the corrupted ones can be delivered relatively fast, the case in which the adversary can wait for the messages of the uncorrupted users to arrive, then decide on her computation and communication, and still get her messages delivered to the honest users on time. In comparison, all the users need to send their messages simultaneously in the synchronous networks. Therefore, adversaries in an asynchronous network are more powerful as they could obtain more information to assist their attacks. System model: the group authentication scheme is specified by the following four randomized algorithms: *Init*, *Dist*, *Comp*, and *Auth*.(i)The initialization algorithm *Init* is run by the GM. *Init* takes as inputs the security parameter ; it outputs the system parameters .(ii)The distribution algorithm *Dist* is run by the GM. *Dist* takes as inputs the system parameters and the number of users ; it outputs a set of credentials . These credentials are sent to through the secure channel, where denotes the set of all legitimate group members.(iii)The computation algorithm *Comp* is run by every user. *Comp* takes as inputs the system parameters , the session index , the set of participated users , and a credential ; it outputs a token through the broadcast channel.(iv)The group authentication algorithm *Auth* is run by the participated users. *Auth* takes as inputs the system parameters , the session index and a set of tokens ; it outputs 1 if and only contains legitimate group members, and it outputs 0 otherwise. Security Model: the following security properties are considered in the security model.

*Definition 1. *(correctness). If a set () of users are participating in the group authentication and they are all legitimate group members, then the group authentication will be successful. Formally, a group authentication scheme is said to have the correctness property if we haveIn the abovementioned expression, and .

*Definition 2. *(secrecy). The inside adversary cannot learn any secret information in the group authentication process. Formally, a group authentication scheme is said to have the secrecy property if we haveIn the abovementioned expression, is denoted as ’s view in the real run of the protocol , means computationally indistinguishable, and is denoted as ’s view of the transcripts simulated by a PPT simulator with only public information as inputs.

*Definition 3. *(no forgery). The inside adversary cannot pass the group authentication by herself. Formally, a group authentication scheme is said to have the no forgery property if we haveIn the abovementioned expression, denotes the users that are controlled by , such that and . Ω denotes an oracle that is used to query the group authentication service, and Σ records all the session indexes which have been queried.

*Definition 4. *(no impersonation). The outside adversary cannot impersonate a group member without being detected. Formally, a group authentication scheme is said to have the no impersonation property if we haveIn the abovementioned expression, is assumed to impersonate the user , where .

Computational assumptions: we assume that the following assumptions hold against any PPT algorithm.

*Definition 5. *(discrete logarithm (DL) assumption). The description of the finite cyclic group is given, where and is a generator of . The discrete logarithm assumption implies that there exists a negligible function such that for all PPT adversaries , we have

*Definition 6. *(computational Diffie–Hellman (CDH) assumption). The description of the finite cyclic group given, where and is a generator of . The computational Diffie–Hellman assumption implies that there exists a negligible function such that for all PPT adversaries , we have .

#### 5. An Improvement of Chien’s Scheme

##### 5.1. The Proposed Scheme

The improved multiple group authentication scheme in the asynchronous communication model works as follows:(i)Init: GM first selects two finite cyclic groups and with prime order , and a bilinear map . is denoted as a generator of . GM then selects a secret and sets . GM selects values for . GM associates the pairwise different integers with the group members. Finally, GM outputs the system parameters .(ii)Dist.: GM selects a random polynomial over with degree , such that . GM, then computes the credentials , and sends them to the group members through the secure channel.(iii)Comp: in the -th session, every participating user in first selects and broadcasts . Then, each user computes . As follows, every user computes and broadcasts her token as where is the Lagrange coefficient.(iv)Auth: In the -th session, every user can verify whether all the users are legitimate group members by checking:

##### 5.2. Security Analysis

Theorem 1. *Our modified group authentication scheme satisfies the correctness property.*

*Proof. *If and , the Lagrange interpolation implies that , where is the Lagrange coefficient. Moreover, because the AV-nets have the property that , we haveTherefore, the equation will hold, and the authentication will be successful.

Theorem 2. *Our modified group authentication scheme satisfies the secrecy property, assuming that the DL problem holds in .*

*Proof. *We denote as the real run of the protocol and as the protocol simulated by a PPT simulator with only public information as inputs.

:(i)Init: generates and outputs the system parameters .(ii)Dist: computes the credentials and sends them to the group members through the secret channel. Without loss of generality, we assume that the credentials are learnt by the inside adversary .(iii)Comp: in the -th session, every participating user in selects and broadcasts . Then, each user computes and broadcasts her token as . In this step, learns which are possessed by the corrupted users and all the broadcast values.(iv)Auth: in the -th session, everyone verifies whether .:(i)Init: the simulator outputs the system parameters .(ii)Dist: sends the credentials to the inside adversary .(iii)Comp: We denote . In the -th session, randomly selects values from and broadcasts for . sends to . , then, randomly selects values from and computes . Then, broadcasts the tokens .(iv)Auth: in the -th session, everyone verifies whether .We now prove that it is infeasible for the inside adversary to distinguish these two protocols. In the *Init* algorithm, the same public parameters are published in both protocols. In the *Dist* algorithm, the same credentials are learnt by in both protocols. In the *Comp* algorithm, both sets and are randomly distributed in , and all the broadcast values are randomly distributed in . In *Auth*, the algorithm will be successful in both protocols. Therefore, cannot distinguish between and because all these algorithms in ’s view are indistinguishable. In other words, we haveMoreover, based on the DL assumption, cannot learn any secret information of from the public information or . Hence, our modified scheme satisfies the secrecy property.

Theorem 3. *Our modified group authentication scheme satisfies the no forgery property, assuming that the CDH problem holds in .*

*Proof. *We denote as the event that can predict the value from the public parameters and as the event that has learnt some secret information through querying the oracle Ω. We denote as the event that outputs a successful forgery. Then, we haveIn the abovementioned expression, and denote the complements of and , respectively.

Firstly, we prove that is negligible. Assume that the inside adversary can predict the value from the public parameters with nonnegligible probability, e.g., derives from the equation . Then, we show that there exists another adversary who can use as a subroutine to break the CDH problem in with nonnegligible probability. The reduction works as follows: suppose is given the description of with prime order and is a generator of . Moreover, is given two random values and in , and ’s task is to compute . In the *Init* algorithm, simulates the public parameters by selecting another cyclic group with order , a bilinear map , as well as random values in . , then, sends to . In the *Dist* algorithm, selects random values in and sends them to . In the *Comp* algorithm, selects random values in and sends them to . also broadcasts the required number of random values in . Note that the abovementioned steps generate a simulated environment for that is indistinguishable from a real run of our modified scheme . If outputs her predict of , uses it to solve the *CDH* problem. Because it is assumed that the CDH assumption holds in , our hypothesis that can predicate the value from with nonnegligible probability must be false. Hence, we have for some negligible function .

Secondly, Theorem 2 implies that the real run of our modified scheme does not leak any secret information to , based on the DL assumption in . Also, the hybrid argument [16] further implies that does not learn any secret information even if she has queried the oracle polynomial number of times. Hence, we have for some negligible function .

Finally, we analyze the probability . In this case, needs to guess the value . Because is randomly distributed in and only controls at most group members, the probability of guessing correct in each trial is exactly . Recall that can try polynomial number of times, and we have , where denotes the number of trials has made.

Putting the abovementioned analyses together, assuming that the CDH assumption holds in , we havefor some negligible function . Therefore, our modified scheme satisfies the no forgery property.

Theorem 4. *Our modified group authentication scheme satisfies the no impersonation property, assuming that the CDH problem holds in .*

*Proof. *Denote as the event that can predict the value from the public parameters and as the event that can impersonate a group member without being detected. Then, we haveFirstly, we prove that is negligible. Assume that the outside adversary can predict the value from with nonnegligible probability. Then, one can prove that there exists another adversary who can use as a subroutine to break the CDH problem in with nonnegligible probability. The reduction is very similar as in Theorem 3. The main difference is that does not need to send any user’s internal states to . Hence, we have for some negligible function .

Next, we analyze the probability . In this case, needs to output a token , such that the equation holds, where the set denotes the other users’ tokens that has already learnt. Because is randomly selected in , the value is randomly distributed in . Moreover, because the value is unpredictable, the probability that outputs a valid token is exactly . Recall that can try polynomial number of times, and we have , where denotes the number of trials has made.

Putting the abovementioned analysis together, we conclude that , which is negligible. Therefore, our modified scheme satisfies the no impersonation property assuming that the CDH assumption holds in .

##### 5.3. Efficiency Analysis

We now give a brief efficiency analysis of our modified scheme. In the *Init* algorithm, GM selects the system parameters, including two finite cyclic group and , a bilinear map between these two groups, and some random values in . The computation of takes 1 multiplication in . In the *Dist* algorithm, GM selects a random polynomial over with degree and evaluates this polynomial at different points. When using Horner’s rule, each evaluation of takes multiplications and additions in , and each credential is a value in . In the *Comp* algorithm, each user broadcasts 2 values in in two individual rounds. The total computations for each user require at most multiplications and additions in . Note that, in this step, the Lagrange coefficients can be precomputed beforehand. In the *Auth* algorithm, each user performs at most additions in and 2 bilinear maps.

An efficiency comparison between our proposed scheme and Chien’s scheme [4] is given in Table 1. Denote the symbols , , , and as the computations of addition in , multiplication in , addition in , multiplication in , and bilinear pairing , respectively. Also, we ignore the other calculations, i.e., select a random element from a group, since their costs are negligible compared with the abovementioned computations.

#### 6. Conclusions

In this paper, we have pointed out a security flaw in an existing group authentication scheme by Chien [4]. If this scheme was used in the asynchronous communication model, the adversary can pretend to be a legitimate group member without being detected. The major reason for this attack is that the adversary is able to remove the Lagrange coefficients from the revealed tokens. We have employed the AV-net to solve this problem, and we have rigorously proved that our improvement satisfies the desirable security properties in a well-defined security model. Therefore, our proposed protocol can be safely used as a drop-in replacement for Chien’s scheme in asynchronous networks.

#### Data Availability

The authors confirm that no data were used to support this study.

#### Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

#### Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant nos. 61662016 and 61772224), Key Projects of Guangxi Natural Science Foundation (Grant no. 2018JJD170004), and Guangxi Key Laboratory of Trusted Software (Grant no. KX201908).